By Phil Vasic, regional director, Clearswift.
In the web world today, councils and agencies are facing a bewildering challenge: on one hand, there’s the intensely fast move towards transparency, efficiency and collaboration, and on the other lurk significant challenges such as data breaches, productivity and fraud.
There’s simply no merit in a black and white stop and block approach to ‘managing’ online challenges as they continue to evolve and throw a curve ball in our path. Imagine if we had banned motor vehicles to avoid accidents, or discouraged air travel in the event the plane never made it into the air.
However, it is clear that as technology for sharing information becomes more sophisticated and embedded in our lives, it becomes more important for those with access to data to understand the consequences of their activities online, and of what is permitted and safe, in comparison to which activities may be putting data security and indeed, elements of their personal life or business reputation, at risk.
This has become particularly pertinent over the last five years as our online work and personal behaviour and habits have become interchangeable.
No longer do we furtively check our personal emails or carry a separate work / personal mobile phone. Nowadays, we openly access and engage with sites like Facebook, or Twitter during the course of the working day. This has led to a blurring of lines in the responsibility for company information, opinion, and data going in and out of a business.
Contrary to popular belief, traditional stop and block security simply does not work in this new world: it doesn’t take into account the varying requirements of different departments or job roles, and it completely ignores the fact that many organisations do not want to completely cut off employees’ use of such tools. In fact, many organisations see considerable opportunity in making use of the contacts and influence that their online networks offer.
Recent research into attitudes towards collaborative web technologies in the workplace showed that more than half of business managers believe that web collaboration technology is now ‘critical’ to the future success of their business.
It’s not just talking the talk: compared to 2007, when just 11 percent of businesses were making use of Web 2.0 technologies, over two-thirds of companies now allow use of web collaboration or social media tools in the workplace.
However, as we stand right in the thick of this online wave, it does seem that not a month goes by without some embarrassing, costly or compromising security breach or inappropriate post occurring online – sometimes witting, sometimes unwitting.
In Australia, there have been a number of high-profile incidents recently which have involved consumer data breaches and unauthorised posting of materials. These serve as a reminder to organisations about the importance of security breaches, policy enforcement and well-communicated expectations and consequences.
The imminent Kokoda Foundation Report, “Optimising Australia's response to the cyber challenge”, will go a long way to publicly acknowledge the rise of cybersecurity and perhaps bring the conversation around policy a little higher on the management agenda.
I believe that any spotlight thrown over the ever-present challenge of tackling cybersecurity can only be beneficial, because from consumers to industry to government, the ongoing review, audit, action, education and communication of security policy, conducted as a cyclical process, can’t ever start to go far enough.
IT security in this Web 2.0 world requires a new appreciation of security as more than just a cost. The public sector, from large Government agencies right through to local councils, needs to realise that modern IT security presents a real and measurable business value.
This might include opportunities to engage new audiences, the ability to improve and enhance customer relationships and communication, and improve staff morale.
Indeed, in a bold move, AGIMO (Australian Government Information Management Office) is considering options to add more social media functionality into future versions of its govdex internal collaboration service, according to a blog post by John Sheridan, First Assistant Secretary.
His recommendation is that this would provide a safe environment in which people can experiment with social media without some of the risks of the mainstream varieties, arguing, rightfully, that education about social media is vital if successful uptake of social media in government agencies and departments is to take place.
This follows AGIMO’s data.australia.gov.au centrally hosted dataset repository launch in December to streamline FOI (Freedom of Information) requests from federal, state and territory governments where applicable.
A similar feature is already available on the NSW Government’s own data repository, but has since been used as a reactive gauge of what data should be released, largely from the Roads and Traffic Authority, NSW Health and RailCorp.
Security software alone will never prove the most effective approach, or at least it will never enable organisations to realise the full value. To be really effective, organisations need to demonstrate a shift-change in the way IT security is approached throughout their operations.
Here’s the thing: mention IT and web security policy to someone in the workplace or at a barbeque and watch their eyes glaze over. You might as well be talking about your electricity service. It’s one of those things we just assume is there, working. Well, working, that is, until something goes wrong.
And perhaps AGIMO’s consideration of an internal testbed environment is a safe bet.
It’s time for organisations to make policy a living, breathing part of their operations, something that is relevant to everyday working life and not just a tick in the box when it comes to an employee’s induction period (a third of those we surveyed recently had not received any training on IT security since joining their firm).
All too often, a policy is simply a document that is referred to only when a breach occurs – almost proof that someone ‘should have known better’.
There is little or no point in having an IT security policy in place unless staff across the business are fully aware of it and, more importantly, understand the reasons why the rules are in place. Education and the explanation of web and email policies mean that employees across the business can actively take on board the risks and adapt their behaviour in the long term.
This is not inconceivable. After all, we trust all manner of public servants to engage with the public every day, over counters and over the phone, so it should be expected that we can trust them on social media too.
Policy should be determined holistically, taking an organisational view about new web services. Organisations need to consult with key stakeholders, not only the IT or HR departments, to establish the organisational benefits, understand the risks and evolve the company’s usage policy accordingly.
I believe that security should not be a cloak and dagger affair, or driven by fear and reprisals; it should be open, visible, evolving and engaging. By bringing IT security out of the shadows and educating employees on the risks and the protection in place, all organisations can benefit from Web 2.0 and other collaborative technologies.